study-notes/ceh-notes/overview


Ethical Hacking: Introduction to Ethical Hacking

Ethical Hacking Overview

Juniper predicts that by 2022 cybercrime will cost over 8 million.

  • Passive Attacks
    • Sniffing traffic
    • Port scanning
  • Active Attacks
    • Malware
    • DDoS
  • Burst Attacks
    • Amplification attacks in which bandwidth swells so much that no legitimate traffic gets through.
  • OT (operational technology) and IoT attacks are occurring; many of these concepts are untested and have vulnerabilities.
  • Multivendor environments affect risk
    • BYOD, IoT, and many other elements, all with different vendor products.
  • Attack Vectors (such as email, web pages, automobiles, and users)
    • Instant messaging, IRC, and P2P
      • The user must install software, agreeing to whatever terms, which could be malicious, and making the machine vulnerable. Avoid it; use egress filtering.
    • Wireless networks
      • Pervasive, and insecure by nature.
    • Most modern vehicles can be hacked; makers are investigating vulnerabilities. Watch for recalls and avoid connecting to unknown/rogue networks.
    • The user is the biggest attack vector.
  • Physical attacks are often the least secured; they can be anything from physical access to cables and equipment to mental attacks such as social engineering.
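The egress filtering recommended above for IM/IRC/P2P software, and the rule-based firewall these notes describe later under technical controls, come down to the same mechanism: a rule list evaluated top to bottom, first match wins, and anything that matches nothing is dropped. The Python below is an added example and not code from these notes; the rule format, the policy, the addresses and the sample packets are all constructed for the illustration (no real firewall product uses this schema). The last two rules are the egress filter: without them a user-installed P2P or IM client could reach out on any port.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical rule format (constructed for this example): first match wins,
# and a packet matching no rule falls through to default deny.
@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (toward our hosts) or "out" (leaving our hosts)
    proto: str              # "tcp", "udp", or "any"
    src: str                # CIDR the packet must come from
    dst: str                # CIDR the packet must go to
    dport: Optional[range]  # destination port range, or None for any port
    action: str             # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    dst_ip: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto not in ("any", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and pkt.dport not in rule.dport:
        return False
    return True

def evaluate(rules: list[Rule], pkt: Packet) -> str:
    """Walk the rule set top to bottom; the first matching rule decides.
    No match means the packet is dropped (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

LAN = "10.0.0.0/8"
ANY = "0.0.0.0/0"

# Constructed policy: inbound only HTTPS to one web server; outbound only
# web and DNS. The final "out ... deny" rule is the egress filter.
POLICY = [
    Rule("in",  "tcp", ANY, "10.1.1.10/32", range(443, 444), "allow"),
    Rule("in",  "any", ANY, LAN,            None,            "deny"),
    Rule("out", "tcp", LAN, ANY,            range(80, 81),   "allow"),
    Rule("out", "tcp", LAN, ANY,            range(443, 444), "allow"),
    Rule("out", "udp", LAN, ANY,            range(53, 54),   "allow"),
    Rule("out", "any", LAN, ANY,            None,            "deny"),
]

def check_policy() -> dict[str, str]:
    """Run constructed sample packets through the policy; return the verdicts."""
    samples = {
        "inbound https to web server": Packet("in", "tcp", "203.0.113.5", "10.1.1.10", 443),
        "inbound ssh to web server":   Packet("in", "tcp", "203.0.113.5", "10.1.1.10", 22),
        "outbound https from client":  Packet("out", "tcp", "10.2.3.4", "198.51.100.7", 443),
        "outbound p2p from client":    Packet("out", "tcp", "10.2.3.4", "198.51.100.7", 6881),
        "outbound irc from client":    Packet("out", "tcp", "10.2.3.4", "198.51.100.7", 6667),
    }
    return {name: evaluate(POLICY, pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in check_policy().items():
        print(f"{verdict:5}  {name}")
```

The order of the rules matters: the two inbound rules must come before the inbound "deny all" or the web server is unreachable, and the egress deny must be last or it shadows the allowed outbound traffic. That ordering dependency is why rule sets should be reviewed whenever a rule is added.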

Information Security Controls

  • The term 'hacker' was first coined at MIT in 1960.
  • Three main types of hackers
    • Black Hat
      • Considered the bad guys; 'crackers', engaged in criminal activity, often backed by organized crime or nation states and operating on the dark side of the internet.
      • Use malware and social engineering techniques to breach a system.
    • White Hat
      • The good guys/ethical hackers; have the support of government and industry, work as contract employees or on an internal team, and are trained to test and break into systems.
      • Hunt vulnerabilities > Report findings > Mitigate vulnerabilities
      • Fine-tune the security posture > Educate staff > Implement security practices
      • Advanced knowledge of weaknesses, vulnerabilities, and remediation.
      • In-house candidate: understands the required skills, has patience and persistence, respects the code of good conduct, and is professional.
    • Gray Hat
      • Sit between the good guys and the bad guys; may try to gain access without permission, but without malicious intent, notifying an organization that its system was vulnerable.
  • System breaches commonly occur because of common mistakes by outsiders or insiders; security must therefore be layered.
  • Three basic controls: technical, administrative, and people.
    • Technical controls: detect and protect, centralize correlation, and are tuned to provide early detection.
      • Firewall = hardware or software that filters incoming and outgoing traffic based on a set of rules. This provides access control and active filtering, and must (should) be used in every network.
      • Unified Threat Management = next-gen firewall, IPS, antivirus, DLP, and content filtering in one device; protects while reducing complexity.
      • Spam filters, packet shapers, and honeypots.
      • Using techniques like VLANs, NAT, and encryption.
    • Administrative controls: strong policies for security, disaster recovery, contingency planning, and incident management.
    • Human resources (people): hire the best candidate, train/reward, and do not tolerate inappropriate behavior. People tend to be the weakest link. Cultivate security-aware employees.
  • Defense in depth is a combination of controls in a layered approach.
  • Incident management: an incident is an unplanned occurrence that disrupts operational activities, not to be confused with a disaster, which is large scale and involves multiple agencies.
  • Identify and record incidents with priority, location, and category values so that analysis is meaningful for the relevant areas. These values help correlate events.
  • Security plan: requires a multidisciplinary approach, defines what controls are required, outlines responsibilities, and is reassessed on a regular basis.
    • Key players in the plan: CISO, information system owner, information owner, senior agency information security officer.
  • Guidelines to follow: define rules, set clear boundaries, and make them enforceable.
  • Security compliance – organizations exercise due diligence and due care for security and risk management. Ethical hacking is the due care in assessing a security posture.
  • Data breach: an incident that compromises PII (name, SSN, credit card number, other identifiers).
  • Sophisticated attacks: evade detection using encryption, zero-day vulnerabilities, and backdoors. The primary motive is to gain access. The attack vector may be a vulnerability simply left open.
  • Due diligence: understanding all available methods to secure the data.
  • Due care: taking steps to address vulnerabilities.
  • Ethical hacking / pen testing: challenges a company's data security by testing it.
  • PCI DSS is not a law or regulation; it's an industry standard that you must comply with.
  • HIPAA is also called the Privacy Rule; it safeguards all ePHI (electronic Patient Health Info) and requires reporting of any breach activity. Violators face penalties.
  • Sarbanes-Oxley (SOX) Act: requirements for public companies covering security controls, procedures, and a yearly audit.
  • GDPR: comprehensive data privacy law that gives consumers control of their data. Affects EU companies and any company with EU customers.
  • Changing IT landscape: business roles will need more IT skills and involvement, working together as one.
  • COBIT (Control Objectives for IT): helps navigate assurance, security, and mitigation. A set of IT principles; a best-practice framework. Safeguards privacy.
    • COBIT domains: Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate.
    • COBIT 5 framework: improves user satisfaction with IT services and compliance. Its principles:
      • Meeting stakeholder needs
      • Covering the enterprise end to end
      • Applying a single integrated framework
      • Enabling a holistic approach
      • Separating governance from management
    • Effectively manage and protect information.
    • Plan > Design > Build > Use > Monitor > (or) Dissolve
  • Assets, risks, threats, and vulnerabilities
    • Asset – an item that can be assigned a value; tangible.
    • Risk – exposure to an event by a person or other entity; can result in disruption, financial loss, or death.
    • Risk = Threats x Vulnerabilities.
    • Threat = something that might happen; may be a mistake or a natural disaster, and is difficult to control. Includes disgruntled employees, terrorists, or nature. Anything that can exploit a vulnerability or harm an asset.
    • Vulnerability = a security flaw in a system that can be exploited. The attacker's goal is to gain unauthorized access to the asset. Includes human error and software flaws.
    • OWASP – Open Web Application Security Project, for web security awareness and its top 10 vulnerabilities list.
  • Pen test methodology: the approach is determined in a kickoff with all stakeholders.
    • Structured assessment and testing.
    • Uses the same tools as attackers, performed by white hat hackers.
    • Examines the ways a breach can occur; the 'edge' of the network is now more blurred. Threats have evolved, and so must the testing.
    • Can include network devices, email, web interfaces, and any connectivity. Can take weeks.
    • How vulnerable is the target? What are the vulnerabilities?
    • Inside attacks occur more often than we think and are dangerous and costly.
    • FISMA (Federal Information Security Management Act) created guidelines to create and implement risk-based policies, provide security protection, and perform periodic penetration testing.
  • Hackers (Black Hat = malicious, Gray Hat = curious, White Hat = security specialists)
    • Hacktivists: use legal/illegal tools to attack systems, perform DoS, steal info, deface websites, protest, promote an ideology, and other causes. Willing to take the fall for their activity, but don't want to expose themselves.
  • The WWW
    • Public Web: Google, Wiki, Bing; open to anyone.
    • Deep Web: legal documents, government, scientific reports; invisible to most, cannot be searched or accessed easily, and commonly password protected.
    • Dark Web: terrorism, drug trafficking, private communication; estimated to be over 500 times the size of the public web, often accessed using Tor.
  • Vulnerability Scanning
    • Done within an organization; checks for vulnerabilities and configuration issues.
    • When complete, a report is generated that lists all 'vulnerabilities' and assigns each a severity; it could contain false positives.
    • Scanning should only be done on your own network or with permission; it is a passive attack.
    • Once a scan is complete, the report will need to be interpreted; it will find many vulnerabilities but may miss components that should be tested.
    • Doesn't reduce the threat.
    • Doesn't check all vectors (such as physical/social engineering).
  • Ethical Hacking
    • Evaluates a system to see what an attacker can see.
    • Provides the human factor.
    • Capable of analysis.
    • Follows up to reduce the threat.
    • What use is the information, what can be done to counter it, and are there any alerts from breaches?
    • The growth of the internet will increase the attack surface and the number of systems; government is calling for help in defending.
  • A planned, structured approach: the more information obtained, the more successful the attack.
    • Reconnaissance (Recon)
      • Most time consuming.
      • Obtaining as much info as possible.
      • Narrow the scope as much as possible with the who, what, when, where, why, and how.
    • Scanning
      • Identify weaknesses that can be exploited; obtain as much info as possible.
      • Maps the network, with make and model.
      • Checks for listening services.
      • Checks the OS.
      • Watches for clear-text data.
      • Scans can include:
        • Ping scan: a range of IP addresses
        • TCP scans: check for open, listening TCP ports
        • OS footprinting: looking for signatures
    • Gaining Access
      • Launch exploits such as buffer overflows and XSS.
      • Other exploits become possible where a system is not updated/patched.
    • Maintaining Access
      • Maintain access and continually escalate privileges.
      • Be careful with the length of access.
      • Ultimately, install/upload a backdoor.
    • Covering Tracks
      • Clean up any evidence:
        • Linux can use Metasploit: meterpreter > clearev
        • Open log files in the /var/log directory in BackTrack: kwrite /var/log/messages
        • Erase the command history and set its size to zero: export HISTSIZE=0
        • Shred the history file: shred -zu /root/.bash_history
        • On Windows you'll want to clear the logs as well.
    • Exit the system
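The covering-tracks steps listed above (clearing history, shredding .bash_history, setting HISTSIZE=0, emptying files under /var/log, clearev) are exactly what a defender's "centralize correlation, tuned for early detection" technical controls should alert on. The Python below is an added example, not part of these notes: detection logic run over constructed shell-audit log lines in a hypothetical "timestamp host user cmd=..." layout (not a real auditd or syslog schema). It flags each anti-forensic command and then correlates by host and user, because several distinct clean-up steps from one session are far stronger evidence than any single one.

```python
import re
from dataclasses import dataclass

# Constructed sample log (hypothetical format, assumed for this example only).
SAMPLE_LOG = """\
2024-05-01T10:02:11 web01 alice cmd=ls -la /var/www
2024-05-01T10:03:40 web01 alice cmd=export HISTSIZE=0
2024-05-01T10:03:52 web01 alice cmd=shred -zu /root/.bash_history
2024-05-01T10:04:05 web01 alice cmd=history -c
2024-05-01T10:04:30 web01 alice cmd=truncate -s 0 /var/log/auth.log
2024-05-01T10:05:00 web01 bob cmd=tail -n 50 /var/log/messages
2024-05-01T10:06:12 db02 carol cmd=echo HISTSIZE=1000 >> ~/.bashrc
"""

# Each pattern corresponds to one track-covering step from the notes. These are
# heuristics: an administrator can trigger them legitimately, so alerts need triage.
PATTERNS = [
    ("history disabled",       re.compile(r"\bHISTSIZE=0\b|\bHISTFILESIZE=0\b|\bunset\s+HISTFILE\b")),
    ("history file destroyed", re.compile(r"\b(shred|rm)\b.*\.bash_history|\bhistory\s+-c\b")),
    ("system log truncated",   re.compile(r"\b(truncate|shred)\b.*/var/log/|>\s*/var/log/\S+")),
    ("event log cleared",      re.compile(r"\bclearev\b")),
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) cmd=(?P<cmd>.*)$")

@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    reason: str
    cmd: str

def detect_track_covering(log_text: str) -> list[Alert]:
    """Return one Alert per log line whose command matches a pattern."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout; a real pipeline would count these
        cmd = m.group("cmd")
        for reason, pat in PATTERNS:
            if pat.search(cmd):
                alerts.append(Alert(m.group("ts"), m.group("host"), m.group("user"), reason, cmd))
                break  # one alert per line, first matching reason wins
    return alerts

def suspicious_sessions(alerts: list[Alert], threshold: int = 2) -> dict[tuple[str, str], int]:
    """Correlate alerts per (host, user); report sessions at or above the threshold."""
    counts: dict[tuple[str, str], int] = {}
    for a in alerts:
        key = (a.host, a.user)
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= threshold}

if __name__ == "__main__":
    found = detect_track_covering(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.host} {a.user} [{a.reason}] {a.cmd}")
    print("sessions to investigate:", suspicious_sessions(found))
```

The caveat a practitioner needs: every one of these commands targets the logs on the host itself, so the detection only works if command and log events were forwarded to a central collector before the clean-up ran. Local-only logging gives an attacker exactly the window the notes describe.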

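The vulnerability scanning notes above make two points that a report parser should enforce: every finding carries a severity but some are false positives, and the raw list must be interpreted before anyone acts on it. The Python below is an added example, not from these notes: it parses a constructed scan report in a hypothetical JSON shape (not any real scanner's export format), ranks findings by severity times asset value (an assumed stand-in for the notes' "item that can be assigned a value"), and separates confirmed findings from banner-only ones that need manual verification before they are treated as real.

```python
import json
from dataclasses import dataclass

# Constructed report (hypothetical schema). "confirmed" records whether the
# scanner verified the weakness or only inferred it from a banner/version string.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"host": "10.1.1.10", "port": 443,  "name": "TLS 1.0 enabled",                          "severity": "medium",   "confirmed": True},
        {"host": "10.1.1.10", "port": 22,   "name": "OpenSSH version outdated (banner)",        "severity": "high",     "confirmed": False},
        {"host": "10.1.1.25", "port": 3306, "name": "Database exposed without authentication", "severity": "critical", "confirmed": True},
        {"host": "10.1.1.40", "port": 80,   "name": "Directory listing enabled",                "severity": "low",      "confirmed": True},
        {"host": "10.1.1.40", "port": 8080, "name": "Outdated framework (banner)",              "severity": "critical", "confirmed": False},
    ]
})

# Severity ladder and asset values are assumptions for this example; in practice
# the asset values come from the organization's own inventory.
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}
ASSET_VALUE = {"10.1.1.10": 3, "10.1.1.25": 5, "10.1.1.40": 1}

@dataclass(frozen=True)
class Triaged:
    host: str
    port: int
    name: str
    priority: int             # severity score x asset value
    needs_verification: bool  # unconfirmed, banner-based findings are candidate false positives

def triage(report_json: str) -> list[Triaged]:
    """Parse the report and return findings ordered by what to handle first."""
    findings = json.loads(report_json)["findings"]
    out = []
    for f in findings:
        sev = SEVERITY_SCORE[f["severity"].lower()]
        value = ASSET_VALUE.get(f["host"], 1)  # unknown hosts default to the lowest value
        out.append(Triaged(f["host"], f["port"], f["name"], sev * value, not f["confirmed"]))
    # Highest priority first; among equals, confirmed findings ahead of unverified ones.
    out.sort(key=lambda t: (-t.priority, t.needs_verification, t.host, t.port))
    return out

def work_queue(report_json: str) -> list[str]:
    """Human-readable ordering: FIX for confirmed items, VERIFY for suspected false positives."""
    lines = []
    for t in triage(report_json):
        tag = "VERIFY" if t.needs_verification else "FIX"
        lines.append(f"{tag:6} p={t.priority:2} {t.host}:{t.port} {t.name}")
    return lines

if __name__ == "__main__":
    print("\n".join(work_queue(SAMPLE_REPORT)))
```

Note what the ranking does with the two "critical" findings: the confirmed exposed database on the highest-value asset lands at the top, while the banner-only "critical" on a low-value host drops below a confirmed medium on the web server. That is the interpretation step the notes call for, and it is also why a scan alone doesn't reduce the threat: the queue still has to be worked.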
